# troubleshoot
c
Hey everyone! I have a scenario at hand and wanted to figure out the best recommended practice for ensuring security in usage of datahub: a teammate and I both have access to the base admin account (user datahub). My Snowflake credentials are currently stored in a secure recipe file and used for our ingestion jobs. We recently updated our platform to the new UI instance, where ingestion jobs can be scheduled and managed from an admin account's UI. We would prefer to start managing our recipe/ingestion job through the UI, but I would want to preserve the secrecy of my Snowflake credentials for the recipe. I saw that a new feature for Secrets has been added that could be related to what I'm looking for, but I'm not too familiar with its limitations/capabilities. Is there a best practice out there for this situation?
b
Hi Shivan! Thanks for the detailed question. You're spot on - the recommendation for keeping things secure when managing ingestion through the UI is to create secrets. Secrets are non-readable, encrypted secrets which are resolved just before the recipe is finally executed by DataHub. The UI Ingestion Guide should walk you through the process of a) creating and b) referencing these secrets inside of your UI recipes
c
Great thanks @big-carpet-38439! To make sure I understood the guide correctly, would this be a proper approach to securing my information while still giving my teammate access to our ingestions:
1. Assumed Fact: Anyone who has the Manage secrets privilege can view all secrets for the platform.
2. My teammate and I would both be assigned Manage ingestion jobs privileges
3. My account would additionally be assigned the Manage secrets privilege
4. This way, my teammate can still access/schedule jobs and modify the recipes, and the credentials can still be stored and protected (accessible only to me).
5. Assumed Fact: This would require stripping the admin datahub user of the Manage secrets privilege so it can no longer view my credentials (since my teammate has access to that user account's login still)
Hey @big-carpet-38439, did you get a chance to look at this to confirm if I have everything correct?
b
Hi Shivan looking now
Hi @cool-painting-92220 - Yes this is spot on
Alternatively, you could change the password for the root "datahub" user
c
Awesome thanks! I'll probably have to follow the steps I listed above, because my coworker will very likely need access to the root datahub user for other functions
b
Okay that makes sense! I can help you to remove that privilege - it comes with the DataHub user privileges by default